A Practical Privacy Paradigm for Wearables
* * * * * *
Only a week into 2015, and already it looks to be the year of wearable technologies. At this year’s International Consumer Electronics Show (CES), wearables and the Internet of Things have dominated the conversations and the exhibition halls. With 900 Internet of Things exhibitors at the conference, it’s clear that consumers will be offered many new ways to immerse themselves in connected life. More than just fitness bands and smartwatches, consumers will soon be reaching for “smart” tennis rackets, coffee makers, pacifiers, stovetops, and pet accessories.
However, as FTC Chairwoman Edith Ramirez reminded us all yesterday in a speech at the CES conference, the Internet of Things is a complex system with “the potential to provide enormous benefits for consumers,” but also “significant privacy and security implications.” The Chairwoman’s speech focused on three key privacy challenges arising from the IOT, as well as three key steps companies can take to enhance consumer trust and ensure that consumers will continue to adopt these new technologies. The three core privacy risks she highlighted were: “(1) ubiquitous data collection; (2) the potential for unexpected uses of consumer data that have adverse consequences; and (3) heightened security risks.” To help mitigate these risks, Ramirez believes that companies should: (1) adopt “security by design”; (2) engage in data minimization; and (3) increase transparency and provide consumers with notice and choice for unexpected data uses.
The Future of Privacy’s new paper, A Practical Privacy Paradigm for Wearables, addresses these same concerns. The paper examines how wearable technologies are challenging traditional applications of the Fair Information Privacy Principles (FIPPs) and why policymaking in this area requires a forward-thinking, flexible approach to these concerns. The FIPPs have long provided the foundation for consumer privacy protection in this country, and still embody core privacy values. However, a rigid application of them may not always be feasible in the fast-paced world of wearables and the nascent IOT. Both the technologies and social norms around these devices are developing quickly, and holding innovative new designs and data uses to privacy standards developed for other industries could stymie the next technological revolution.
We certainly agree with Chairwoman Ramirez that the IOT creates new and challenging privacy risks, and that traditional privacy principles like notice and choice and data minimization will play an important role in these spaces. However, we urge policymakers to take a nuanced approach to the application of these principles to wearable devices, particularly in these early days of their development. As the Chairwoman noted, it will take the “ingenuity, design acumen, and technical know-how” to provide consumers with useful notice and choice for their wearables. Wearables come with as many shapes and sizes as consumers, and one-size-fits-all solutions will not be feasible.
Another challenging issue our paper examines is the intersection of wearables and Big Data, as wearables’ capacity for granular ubiquitous data collection both opens the door to new and important health, efficiency, and personal benefits, but also to significant privacy risks. We agree with the Chairwoman’s caution against collecting and holding consumer information on the mere off-chance that it could become valuable someday. However, we also believe that novel data uses do sometimes develop from data collection that is based on speculative or “pure research” purposes and that allowing for these uses is essential. In order to unleash the benefits of big data, researchers and organizations need the opportunity to look for unanticipated insights in datasets like those that might be created by consumers utilizing their wearables to ubiquitously track their own activities.
Rather than immediately imposing restrictions on data collection, we believe organizations should engage in comprehensive risk-benefit analyses of both the potential risks and potential rewards of putting data to a particular use. FPF has previously published a methodology for this sort of serious assessment in our paper Benefit-Risk-Analysis for Big Data. By identifying and quantifying both the risks and benefits of handling data in a particular manner, companies can more rationally determine when a certain use is appropriate or when to scale back data collection. “Trust us” is not a sufficient rationale for careless handling of consumer data by companies, and comprehensive risk-benefit analysis prevents thoughtless decision-making. By engaging in case-by-case balancing, we can allow for novel data uses and big data breakthroughs only when and where the benefits to individuals and society outweigh their risks.
In addition to examining the need for common sense applications of the FIPPs, the paper presents a variety of industry solutions necessary to support such a framework. We wholeheartedly support the Commissioner’s call for security-by-design, recommending that “organizations be prepared to defend consumers’ personal data against both internal threats, such as curious employees, and external threats, such as hackers or scammers,” as well as her recommendation that organizations engage in practical de-identification practices. We also suggest companies respect the context of data collection, be transparent about how they use consumers’ personal information, provide reasonable individual access to data, and help develop binding codes of conduct for wearables.
2015 may be the year that wearables go mainstream, both for consumers and for privacy professionals and policymakers. While companies continue to develop new ways to connect our digital and physical worlds, there are many more discussions to be had about how these devices will fit into our lives. The wearables industry needs time to mature, and users need time to learn what they want and expect their wearables to do for them and with their personal information. Already, companies and platforms, such as Apple HealthKit and Google Fit, are developing baseline rules to protect consumers’ privacy. Moving forward, we urge policymakers to adopt a forward-thinking, common sense application of the FIPPs in the wearables space.
– Kelsey Finch